Re: KVM host UEFI allow guest UEFI Secure boot

2023-01-24 Thread pavan aravapalli
Yes,  I have tested and am able to run Windows Server 2016 and Server 2019
in secure mode with cloudstack as part of
https://github.com/apache/cloudstack/pull/3638 pull request with
cloudstack.

With the recent version I haven't checked.

Thanks & Regards,
Pavan Aravapalli.
Architect.
https://www.linkedin.com/in/pavan-a-70995a27/


On Tue, 24 Jan 2023 at 16:18, Gary Dixon 
wrote:

> Thanks Pavan
>
> Are you successfully running Windows Server VM's in uefi secure boot mode
> in Cloudstack ?
>
> Gary Dixon​
> Senior Technical Consultant
> T:  +44 161 537 4990
> E:  vms@quadris-support.com
> W: www.quadris.co.uk
> The information contained in this e-mail from Quadris may be confidential
> and privileged for the private use of the named recipient.  The contents of
> this e-mail may not necessarily represent the official views of Quadris.
> If you have received this information in error you must not copy,
> distribute or take any action or reliance on its contents.  Please destroy
> any hard copies and delete this message.
> -Original Message-
> From: pavan aravapalli 
> Sent: 24 January 2023 07:47
> To: users@cloudstack.apache.org
> Subject: Re: KVM host UEFI allow guest UEFI Secure boot
>
> Hi Gary,
>
> If you don't have any specific dependencies with Ubuntu version try with
> the latest Ubuntu 22.04, it has secure files. I verified and it supports
> secure files.
>
> Thanks & Regards,
> Pavan Aravapalli.
> Architect.
>
> https://www.linkedin.com/in/pavan-a-70995a27/
>
>
>
> On Mon, 23 Jan 2023 at 23:08, Gary Dixon
> wrote:
>
> > Thanks Pavan
> >
> > Unfortunately, in the Ubuntu OVMF package it does not install a
> > "OVMF_VARS.secboot.fd" file in the /usr/share/OVMF/ path This VARS
> > file does not exist it appears on an ubuntu system.
> >
> > BR
> >
> > Gary
> >
> > Gary Dixon​
> > Senior Technical Consultant
> > T: +44 161 537 4990
> > E: vms@quadris-support.com
> > W: www.quadris.co.uk
> > -Original Message-
> > From: pavan aravapalli 
> > Sent: 23 January 2023 11:48
> > To: gary.di...@quadris.co.uk.invalid
> > Cc: users@cloudstack.apache.org
> > Subject: Re: KVM host UEFI allow guest UEFI Secure boot
> >
> > I see wrong vars configured for secure VAR. * template='/usr/share/OVMF/OVMF_VARS.fd'> *
> >
> > It should be something like
> > "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd",
> > or the file should be like path to the OVMF_VARS.secboot.fd inside
> > uefi.properties on the Ubuntu Host. I hope this helps.
> >
> >
> > Thanks & Regards,
> > Pavan Aravapalli.
> > Architect.
> >
> > https://www.linkedin.com/in/pavan-a-70995a27/
> >
> >
> >
> >
> > On Fri, 20 Jan 2023 at 16:01, Gary Dixon
> > wrote:
> >
> > > I think

RE: KVM host UEFI allow guest UEFI Secure boot

2023-01-24 Thread Gary Dixon
Thanks Pavan

Are you successfully running Windows Server VM's in uefi secure boot mode in 
Cloudstack ?


Gary Dixon
Senior Technical Consultant
T:  +44 161 537 4990
E:  v...@quadris-support.com
W: www.quadris.co.uk
-Original Message-
From: pavan aravapalli 
Sent: 24 January 2023 07:47
To: users@cloudstack.apache.org
Subject: Re: KVM host UEFI allow guest UEFI Secure boot

Hi Gary,

If you don't have any specific dependencies with Ubuntu version try with the
latest Ubuntu 22.04, it has secure files. I verified and it supports secure 
files.

Thanks & Regards,
Pavan Aravapalli.
Architect.
https://www.linkedin.com/in/pavan-a-70995a27/



On Mon, 23 Jan 2023 at 23:08, Gary Dixon 
wrote:

> Thanks Pavan
>
> Unfortunately, in the Ubuntu OVMF package it does not install a
> "OVMF_VARS.secboot.fd" file in the /usr/share/OVMF/ path This VARS
> file does not exist it appears on an ubuntu system.
>
> BR
>
> Gary
>
> Gary Dixon​
> Senior Technical Consultant
> T:  +44 161 537 4990
> E:  vms@quadris-support.com
> W: www.quadris.co.uk
> -Original Message-
> From: pavan aravapalli 
> Sent: 23 January 2023 11:48
> To: gary.di...@quadris.co.uk.invalid
> Cc: users@cloudstack.apache.org
> Subject: Re: KVM host UEFI allow guest UEFI Secure boot
>
> I see wrong vars configured for secure VAR. * template='/usr/share/OVMF/OVMF_VARS.fd'> *
>
> It should be something like
> "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd",
> or the file should be like path to the OVMF_VARS.secboot.fd inside
> uefi.properties on the Ubuntu Host. I hope this helps.
>
>
> Thanks & Regards,
> Pavan Aravapalli.
> Architect.
>
> https://www.linkedin.com/in/pavan-a-70995a27/
>
>
>
>
> On Fri, 20 Jan 2023 at 16:01, Gary Dixon
> wrote:
>
> > I think this is possibly a bug in CS 4.15.2 with KVM hypervisor on
> > Ubuntu
> > 20.04
> >
> >
> >
> > I have evicted one of our hosts from the cloudstack cluster and
> > added the /etc/cloudstack/agent/uefi.properties file.
> >
> >
> >
> > Cleared out the keystore and set the libvirtd.conf file back to
> > listen_tls=0, listen_tcp=1 and re-added the host back in to the
> > cluster in Cloudstack
> >
> >
> >
> > In the agent logs I can see that it detects the uefi.properties file
> > and enumerates the paths.
> >
> >
> >
> > The host is added back into Cloudstack – but in the database in the
> > “host_details” table I see the “host.uefi.enable” value is set to “false”
> > for this host ?
> >
> >
> >
> > We then manually set “host.uefi.enable” to

Re: KVM host UEFI allow guest UEFI Secure boot

2023-01-23 Thread pavan aravapalli
Hi Gary,

If you don't have any specific dependencies with Ubuntu version try with
the latest Ubuntu 22.04, it has secure files. I verified and it supports
secure files.

Thanks & Regards,
Pavan Aravapalli.
Architect.
https://www.linkedin.com/in/pavan-a-70995a27/



On Mon, 23 Jan 2023 at 23:08, Gary Dixon 
wrote:

> Thanks Pavan
>
> Unfortunately, in the Ubuntu OVMF package it does not install a
> "OVMF_VARS.secboot.fd" file in the /usr/share/OVMF/ path
> This VARS file does not exist it appears on an ubuntu system.
>
> BR
>
> Gary
>
> Gary Dixon​
> Senior Technical Consultant
> T:  +44 161 537 4990
> E:  vms@quadris-support.com
> W: www.quadris.co.uk
> -Original Message-
> From: pavan aravapalli 
> Sent: 23 January 2023 11:48
> To: gary.di...@quadris.co.uk.invalid
> Cc: users@cloudstack.apache.org
> Subject: Re: KVM host UEFI allow guest UEFI Secure boot
>
> I see wrong vars configured for secure VAR. * template='/usr/share/OVMF/OVMF_VARS.fd'> *
>
> It should be something like
> "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd", or
> the file should be like path to the OVMF_VARS.secboot.fd inside
> uefi.properties on the Ubuntu Host. I hope this helps.
>
>
> Thanks & Regards,
> Pavan Aravapalli.
> Architect.
>
> https://www.linkedin.com/in/pavan-a-70995a27/
>
>
>
>
> On Fri, 20 Jan 2023 at 16:01, Gary Dixon
> wrote:
>
> > I think this is possibly a bug in CS 4.15.2 with KVM hypervisor on
> > Ubuntu
> > 20.04
> >
> >
> >
> > I have evicted one of our hosts from the cloudstack cluster and added
> > the /etc/cloudstack/agent/uefi.properties file.
> >
> >
> >
> > Cleared out the keystore and set the libvirtd.conf file back to
> > listen_tls=0, listen_tcp=1 and re-added the host back in to the
> > cluster in Cloudstack
> >
> >
> >
> > In the agent logs I can see that it detects the uefi.properties file
> > and enumerates the paths.
> >
> >
> >
> > The host is added back into Cloudstack – but in the database in the
> > “host_details” table I see the “host.uefi.enable” value is set to “false”
> > for this host ?
> >
> >
> >
> > We then manually set “host.uefi.enable” to true in the database
> >
> >
> >
> > I then provision a new instance and use a Windows Server2016 ISO to
> > provision the machine on this uefi enabled host. I set the adv
> > settings to
> > BIOS: UEFI BOOT MODE: Secure
> >
> > The VM starts but when I console on to it there is an error message on
> > the console window saying “*Guest has not initialized the display
> > (yet)”*
> >
> > So at this point it appears we are unable to create any VM’s with uefi
> > – secure boot enabled
> >
> >
> >
> > Has anyone successfully managed to get Windows VM’s with uefi secure
> > boot enabled working in Cloudstack 4.15.2 with KVM hypervisor on
> > Ubuntu 20.04 hosts ?
> >
> >
> >
> >
> >
> > A virsh dumpxml shows this:
> >
> >
> >
> > Windows Server 2016 (64-bit)
> > 8388608
> > 8388608
> > 4
> > 3240
> > /machine
> > Apache Software Foundation
> > CloudStack KVM Hypervisor
> > 39c9fa33-0ef2-463a-aff6-45b6e77d1c4d
> > hvm
> > type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd
> > template='/usr/share/OVMF/OVMF_VARS.fd'>/var/lib/libvirt/qemu/nvram/39c9fa33-0ef2-463a-

RE: KVM host UEFI allow guest UEFI Secure boot

2023-01-23 Thread Gary Dixon
Hi Wei

Is your win11_VARS.fd file custom built ?
In any case even if we could console onto the uefi secure boot enabled Windows 
based VM - it would be unusable as the KVM virtio drivers would not function as 
they are not signed by Microsoft - it seems only RHEL subscription users are 
entitled to get a copy of the virtio drivers that are signed by Microsoft

BR

Gary


Gary Dixon
Senior Technical Consultant
T:  +44 161 537 4990
E:  v...@quadris-support.com
W: www.quadris.co.uk
-Original Message-
From: Wei ZHOU 
Sent: 23 January 2023 15:44
To: users@cloudstack.apache.org
Subject: Re: KVM host UEFI allow guest UEFI Secure boot

Hi Gary,

The detection of UEFI support was introduced by
https://github.com/apache/cloudstack/pull/6139 in ACS 4.17.0.0
If you run 4.15.2, you need to update the database manually - as you did.


For the issue with windows VM, I have a win11 vm on Ubuntu 22.04 which works 
fine. The xml definition of VM is as follows (just for your
information)

  
hvm
/usr/share/OVMF/OVMF_CODE_4M.secboot.fd
/var/lib/libvirt/qemu/nvram/win11_VARS.fd

  

You may try with different UEFI settings, for example what Pavan suggested.

-Wei

On Fri, 20 Jan 2023 at 11:31, Gary Dixon 
wrote:

> I think this is possibly a bug in CS 4.15.2 with KVM hypervisor on
> Ubuntu
> 20.04
>
>
>
> I have evicted one of our hosts from the cloudstack cluster and added
> the /etc/cloudstack/agent/uefi.properties file.
>
>
>
> Cleared out the keystore and set the libvirtd.conf file back to
> listen_tls=0, listen_tcp=1 and re-added the host back in to the
> cluster in Cloudstack
>
>
>
> In the agent logs I can see that it detects the uefi.properties file
> and enumerates the paths.
>
>
>
> The host is added back into Cloudstack – but in the database in the
> “host_details” table I see the “host.uefi.enable” value is set to “false”
> for this host ?
>
>
>
> We then manually set “host.uefi.enable” to true in the database
>
>
>
> I then provision a new instance and use a Windows Server2016 ISO to
> provision the machine on this uefi enabled host. I set the adv
> settings to
> BIOS: UEFI BOOT MODE: Secure
>
> The VM starts but when I console on to it there is an error message on
> the console window saying “*Guest has not initialized the display
> (yet)”*
>
> So at this point it appears we are unable to create any VM’s with uefi
> – secure boot enabled
>
>
>
> Has anyone successfully managed to get Windows VM’s with uefi secure
> boot enabled working in Cloudstack 4.15.2 with KVM hypervisor on
> Ubuntu 20.04 hosts ?
>
>
>
>
>
> A virsh dumpxml shows this:
>
>
>
> Windows Server 2016 (64-bit)
> 8388608
> 8388608
> 4
> 3240
> /machine
> Apache Software Foundation
> CloudStack KVM Hypervisor
> 39c9fa33-0ef2-463a-aff6-45b6e77d1c4d
> hvm
> type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd
> template='/usr/share/OVMF/OVMF_VARS.fd'>/var/lib/libvirt/qemu/nvram/39c9fa33-0ef2-463a-aff6-45b6e77d1c4d.fd
> destroy
> restart
> destroy
> /usr/bin/qemu-system-x86_64
> 69bcfffc3c8a41ab876b
> unit='0'/>
> file='/mnt/45d6d957-afa2-371a-b0dc-b6e70ef17d97/035fa65a-4556-47b0-95c1-ac2db8ee054e.iso' index='1'/>

RE: KVM host UEFI allow guest UEFI Secure boot

2023-01-23 Thread Gary Dixon
Thanks Pavan

Unfortunately, in the Ubuntu OVMF package it does not install a 
"OVMF_VARS.secboot.fd" file in the /usr/share/OVMF/ path
This VARS file does not exist it appears on an ubuntu system.

BR

Gary


Gary Dixon
Senior Technical Consultant
T:  +44 161 537 4990
E:  v...@quadris-support.com
W: www.quadris.co.uk
-Original Message-
From: pavan aravapalli 
Sent: 23 January 2023 11:48
To: gary.di...@quadris.co.uk.invalid
Cc: users@cloudstack.apache.org
Subject: Re: KVM host UEFI allow guest UEFI Secure boot

I see wrong vars configured for secure VAR. * *

It should be something like
"/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd", or the 
file should be like path to the OVMF_VARS.secboot.fd inside uefi.properties on 
the Ubuntu Host. I hope this helps.


Thanks & Regards,
Pavan Aravapalli.
Architect.
https://www.linkedin.com/in/pavan-a-70995a27/




On Fri, 20 Jan 2023 at 16:01, Gary Dixon 
wrote:

> I think this is possibly a bug in CS 4.15.2 with KVM hypervisor on
> Ubuntu
> 20.04
>
>
>
> I have evicted one of our hosts from the cloudstack cluster and added
> the /etc/cloudstack/agent/uefi.properties file.
>
>
>
> Cleared out the keystore and set the libvirtd.conf file back to
> listen_tls=0, listen_tcp=1 and re-added the host back in to the
> cluster in Cloudstack
>
>
>
> In the agent logs I can see that it detects the uefi.properties file
> and enumerates the paths.
>
>
>
> The host is added back into Cloudstack – but in the database in the
> “host_details” table I see the “host.uefi.enable” value is set to “false”
> for this host ?
>
>
>
> We then manually set “host.uefi.enable” to true in the database
>
>
>
> I then provision a new instance and use a Windows Server2016 ISO to
> provision the machine on this uefi enabled host. I set the adv
> settings to
> BIOS: UEFI BOOT MODE: Secure
>
> The VM starts but when I console on to it there is an error message on
> the console window saying “*Guest has not initialized the display
> (yet)”*
>
> So at this point it appears we are unable to create any VM’s with uefi
> – secure boot enabled
>
>
>
> Has anyone successfully managed to get Windows VM’s with uefi secure
> boot enabled working in Cloudstack 4.15.2 with KVM hypervisor on
> Ubuntu 20.04 hosts ?
>
>
>
>
>
> A virsh dumpxml shows this:
>
>
>
> Windows Server 2016 (64-bit)
> 8388608
> 8388608
> 4
> 3240
> /machine
> Apache Software Foundation
> CloudStack KVM Hypervisor
> 39c9fa33-0ef2-463a-aff6-45b6e77d1c4d
> hvm
> type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd
> template='/usr/share/OVMF/OVMF_VARS.fd'>/var/lib/libvirt/qemu/nvram/39c9fa33-0ef2-463a-aff6-45b6e77d1c4d.fd
> destroy
> restart
> destroy
> /usr/bin/qemu-system-x86_64
> 69bcfffc3c8a41ab876b
> unit='0'/>
> file='/mnt/45d6d957-afa2-371a-b0dc-b6e70ef17d97/035fa65a-4556-47b0-95c1-ac2db8ee054e.iso' index='1'/>
> unit='3'/>
> function='0x0'/>

Re: KVM host UEFI allow guest UEFI Secure boot

2023-01-23 Thread Wei ZHOU
Hi Gary,

The detection of UEFI support was introduced by
https://github.com/apache/cloudstack/pull/6139 in ACS 4.17.0.0
If you run 4.15.2, you need to update the database manually - as you did.


For the issue with windows VM, I have a win11 vm on Ubuntu 22.04 which
works fine. The xml definition of VM is as follows (just for your
information)

  
hvm
/usr/share/OVMF/OVMF_CODE_4M.secboot.fd
/var/lib/libvirt/qemu/nvram/win11_VARS.fd

  

You may try with different UEFI settings, for example what Pavan suggested.

-Wei

On Fri, 20 Jan 2023 at 11:31, Gary Dixon 
wrote:

> I think this is possibly a bug in CS 4.15.2 with KVM hypervisor on Ubuntu
> 20.04
>
>
>
> I have evicted one of our hosts from the cloudstack cluster and added the
> /etc/cloudstack/agent/uefi.properties file.
>
>
>
> Cleared out the keystore and set the libvirtd.conf file back to
> listen_tls=0, listen_tcp=1 and re-added the host back in to the cluster in
> Cloudstack
>
>
>
> In the agent logs I can see that it detects the uefi.properties file and
> enumerates the paths.
>
>
>
> The host is added back into Cloudstack – but in the database in the
> “host_details” table I see the “host.uefi.enable” value is set to “false”
> for this host ?
>
>
>
> We then manually set “host.uefi.enable” to true in the database
>
>
>
> I then provision a new instance and use a Windows Server2016 ISO to
> provision the machine on this uefi enabled host. I set the adv settings to
> BIOS: UEFI BOOT MODE: Secure
>
> The VM starts but when I console on to it there is an error message on the
> console window saying “*Guest has not initialized the display (yet)”*
>
> So at this point it appears we are unable to create any VM’s with uefi –
> secure boot enabled
>
>
>
> Has anyone successfully managed to get Windows VM’s with uefi secure boot
> enabled working in Cloudstack 4.15.2 with KVM hypervisor on Ubuntu 20.04
> hosts ?
>
>
>
>
>
> A virsh dumpxml shows this:
>
>
>
> Windows Server 2016 (64-bit)
> 8388608
> 8388608
> 4
> 3240
> /machine
> Apache Software Foundation
> CloudStack KVM Hypervisor
> 39c9fa33-0ef2-463a-aff6-45b6e77d1c4d
> hvm
> type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd
> template='/usr/share/OVMF/OVMF_VARS.fd'>/var/lib/libvirt/qemu/nvram/39c9fa33-0ef2-463a-aff6-45b6e77d1c4d.fd
> destroy
> restart
> destroy
> /usr/bin/qemu-system-x86_64
> 69bcfffc3c8a41ab876b
> file='/mnt/45d6d957-afa2-371a-b0dc-b6e70ef17d97/035fa65a-4556-47b0-95c1-ac2db8ee054e.iso' index='1'/>
> function='0x0'/>
> function='0x2'/>
> function='0x0'/>
> function='0x0' multifunction='on'/>
> function='0x0'/>
> function='0x1'/>
> function='0x2'/>
> function='0x3'/>
> function='0x0'/>
> path='/var/lib/libvirt/qemu/i-2-1811-VM.org.qemu.guest_agent.0'/>
> state='disconnected'/>
> function='0x0'/>
> function='0x0'/>
> +0:+0
> +0:+0
>
> Gary Dixon
> Senior Technical Consultant
> T:  +44 161 537 4990
> E:  vms@quadris-support.com
> W: www.quadris.co.uk
>
>
>
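
The pairing this thread turns on, a Secure Boot loader (OVMF_CODE.secboot.fd) used with the plain OVMF_VARS.fd template, can be checked mechanically before a guest is started. The following Python check is an added example, not CloudStack or libvirt code; the file-name marker heuristic, the attributes in the constructed domain XML and the sample host file set are assumptions.

```python
"""Audit loader / NVRAM-template pairings for UEFI Secure Boot guests."""
import os
import re
import xml.etree.ElementTree as ET

# Assumption: a firmware or variable-store file whose name carries one of
# these markers is a Secure Boot build / ships with keys pre-enrolled
# (".ms." in Debian/Ubuntu packages, ".secboot." in Fedora/RHEL packages).
SB_MARKERS = (".secboot.", ".ms.")

# The qemu.conf nvram defaults as quoted in the thread (commented out there).
QEMU_CONF = '''
#nvram = [
#   "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd",
#   "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd",
#   "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd",
#   "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd",
#   "/usr/share/OVMF/OVMF_CODE.ms.fd:/usr/share/OVMF/OVMF_VARS.ms.fd"
#]
'''

# Constructed <os> blocks. The paths are the ones quoted in the thread; the
# readonly/secure attributes are assumptions (the archive stripped the tags).
FAILING_DOMAIN = """<domain type='kvm'><os>
  <type>hvm</type>
  <loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>
  <nvram template='/usr/share/OVMF/OVMF_VARS.fd'>/var/lib/libvirt/qemu/nvram/39c9fa33-0ef2-463a-aff6-45b6e77d1c4d.fd</nvram>
</os></domain>"""

WORKING_DOMAIN = """<domain type='kvm'><os>
  <type>hvm</type>
  <loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE_4M.secboot.fd</loader>
  <nvram>/var/lib/libvirt/qemu/nvram/win11_VARS.fd</nvram>
</os></domain>"""

# Constructed stand-in for the host's firmware directory (not from the thread).
HOST_FILES = {"/usr/share/OVMF/OVMF_VARS.fd", "/usr/share/OVMF/OVMF_VARS.ms.fd"}


def is_sb(path):
    """True if the file name marks a Secure Boot build or enrolled template."""
    return any(marker in os.path.basename(path) for marker in SB_MARKERS)


def parse_nvram_pairs(conf_text):
    """Return (loader, vars_template) pairs from a qemu.conf nvram list,
    including entries that are still commented out as defaults."""
    return re.findall(r'"([^":]+\.fd):([^":]+\.fd)"', conf_text)


def audit_pair(loader, template, exists=os.path.exists):
    """Return findings for one loader / VARS-template pairing."""
    if not is_sb(loader):
        return []  # not a Secure Boot firmware build, nothing to enforce
    if template is None:
        return ["no-template: per-VM NVRAM has no recorded template, "
                "key enrollment cannot be verified from the config"]
    findings = []
    lname, tname = os.path.basename(loader), os.path.basename(template)
    if not is_sb(template):
        findings.append("unenrolled-vars: %s carries no enrolled keys, so the "
                        "firmware starts in setup mode and does not enforce "
                        "Secure Boot" % tname)
    if ("_4M" in lname) != ("_4M" in tname):
        findings.append("size-mismatch: %s and %s are different flash sizes"
                        % (lname, tname))
    if not exists(template):
        findings.append("missing-template: %s is not present on this host"
                        % template)
    return findings


def audit_domain(domain_xml, exists=os.path.exists):
    """Audit the <os> firmware settings of a libvirt domain definition."""
    os_el = ET.fromstring(domain_xml).find("os")
    loader = os_el.find("loader") if os_el is not None else None
    if loader is None or not (loader.text or "").strip():
        return ["no-loader: domain does not boot from a pflash firmware image"]
    nvram = os_el.find("nvram")
    template = nvram.get("template") if nvram is not None else None
    return audit_pair(loader.text.strip(), template, exists)


def audit_qemu_conf(conf_text, exists=os.path.exists):
    """Map each flagged (loader, template) pair in qemu.conf to its findings."""
    results = {p: audit_pair(p[0], p[1], exists) for p in parse_nvram_pairs(conf_text)}
    return {pair: found for pair, found in results.items() if found}


if __name__ == "__main__":
    on_host = HOST_FILES.__contains__
    for name, xml in (("failing", FAILING_DOMAIN), ("working", WORKING_DOMAIN)):
        print(name, audit_domain(xml, exists=on_host))
    print(audit_qemu_conf(QEMU_CONF, exists=on_host))
```

A "no-template" result is not a pass: it means the per-VM NVRAM file itself has to be inspected, since the configuration no longer says which template it was copied from.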


Re: KVM host UEFI allow guest UEFI Secure boot

2023-01-23 Thread pavan aravapalli
I see wrong vars configured for secure VAR. * *

It should be something like
"/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd", or the
file should be like path to the OVMF_VARS.secboot.fd inside uefi.properties
on the Ubuntu Host. I hope this helps.


Thanks & Regards,
Pavan Aravapalli.
Architect.
https://www.linkedin.com/in/pavan-a-70995a27/




On Fri, 20 Jan 2023 at 16:01, Gary Dixon 
wrote:

> I think this is possibly a bug in CS 4.15.2 with KVM hypervisor on Ubuntu
> 20.04
>
>
>
> I have evicted one of our hosts from the cloudstack cluster and added the
> /etc/cloudstack/agent/uefi.properties file.
>
>
>
> Cleared out the keystore and set the libvirtd.conf file back to
> listen_tls=0, listen_tcp=1 and re-added the host back in to the cluster in
> Cloudstack
>
>
>
> In the agent logs I can see that it detects the uefi.properties file and
> enumerates the paths.
>
>
>
> The host is added back into Cloudstack – but in the database in the
> “host_details” table I see the “host.uefi.enable” value is set to “false”
> for this host ?
>
>
>
> We then manually set “host.uefi.enable” to true in the database
>
>
>
> I then provision a new instance and use a Windows Server2016 ISO to
> provision the machine on this uefi enabled host. I set the adv settings to
> BIOS: UEFI BOOT MODE: Secure
>
> The VM starts but when I console on to it there is an error message on the
> console window saying “*Guest has not initialized the display (yet)”*
>
> So at this point it appears we are unable to create any VM’s with uefi –
> secure boot enabled
>
>
>
> Has anyone successfully managed to get Windows VM’s with uefi secure boot
> enabled working in Cloudstack 4.15.2 with KVM hypervisor on Ubuntu 20.04
> hosts ?
>
>
>
>
>
> A virsh dumpxml shows this:
>
>
>
> Windows Server 2016 (64-bit)
> 8388608
> 8388608
> 4
> 3240
> /machine
> Apache Software Foundation
> CloudStack KVM Hypervisor
> 39c9fa33-0ef2-463a-aff6-45b6e77d1c4d
> hvm
> type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd
> template='/usr/share/OVMF/OVMF_VARS.fd'>/var/lib/libvirt/qemu/nvram/39c9fa33-0ef2-463a-aff6-45b6e77d1c4d.fd
> destroy
> restart
> destroy
> /usr/bin/qemu-system-x86_64
> 69bcfffc3c8a41ab876b
> file='/mnt/45d6d957-afa2-371a-b0dc-b6e70ef17d97/035fa65a-4556-47b0-95c1-ac2db8ee054e.iso' index='1'/>
> function='0x0'/>
> function='0x2'/>
> function='0x0'/>
> function='0x0' multifunction='on'/>
> function='0x0'/>
> function='0x1'/>
> function='0x2'/>
> function='0x3'/>
> function='0x0'/>
> path='/var/lib/libvirt/qemu/i-2-1811-VM.org.qemu.guest_agent.0'/>
> state='disconnected'/>
RE: KVM host UEFI allow guest UEFI Secure boot

2023-01-20 Thread Gary Dixon
I think this is possibly a bug in CS 4.15.2 with KVM hypervisor on Ubuntu 20.04

I have evicted one of our hosts from the cloudstack cluster and added the 
/etc/cloudstack/agent/uefi.properties file.

Cleared out the keystore and set the libvirtd.conf file back to listen_tls=0, 
listen_tcp=1 and re-added the host back in to the cluster in Cloudstack

In the agent logs I can see that it detects the uefi.properties file and 
enumerates the paths.

The host is added back into Cloudstack – but in the database in the 
“host_details” table I see the “host.uefi.enable” value is set to “false” for 
this host ?

We then manually set “host.uefi.enable” to true in the database

I then provision a new instance and use a Windows Server2016 ISO to provision 
the machine on this uefi enabled host. I set the adv settings to BIOS: UEFI 
BOOT MODE: Secure
The VM starts but when I console on to it there is an error message on the 
console window saying “Guest has not initialized the display (yet)”
So at this point it appears we are unable to create any VM’s with uefi – secure 
boot enabled

Has anyone successfully managed to get Windows VM’s with uefi secure boot
enabled working in Cloudstack 4.15.2 with KVM hypervisor on Ubuntu 20.04 hosts ?


A virsh dumpxml shows this:

Windows Server 2016 (64-bit)
8388608
8388608
4
3240
/machine
Apache Software Foundation
CloudStack KVM Hypervisor
39c9fa33-0ef2-463a-aff6-45b6e77d1c4d
hvm
/usr/share/OVMF/OVMF_CODE.secboot.fd
/var/lib/libvirt/qemu/nvram/39c9fa33-0ef2-463a-aff6-45b6e77d1c4d.fd
destroy
restart
destroy
/usr/bin/qemu-system-x86_64
69bcfffc3c8a41ab876b
+0:+0
+0:+0

Gary Dixon
Senior Technical Consultant
T:  +44 161 537 4990
E:  v...@quadris-support.com
W: www.quadris.co.uk
From: Gary Dixon 
Sent: 19 January 2023 14:35
To: users@cloudstack.apache.org
Subject: RE: KVM host UEFI allow guest UEFI Secure boot

I think I just solved this myself – in the qemu.conf file I see :

#nvram = [
#   "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd",
#   "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd",
#   "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd",
#   "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd",
#   "/usr/share/OVMF/OVMF_CODE.ms.fd:/usr/share/OVMF/OVMF_VARS.ms.fd"
#]

So in Ubuntu 20.04 there is no reference to OVMF_VARS.secure.fd for the nvram 
template


Gary Dixon​
From: Gary Dixon 
Sent: 19 January 2023 13:55
To: users@cloudstack.apache.org
Subject: RE: KVM host UEFI allow guest UEFI Secure boot

Thanks for all your quick responses

On our Ubuntu 20.04 hosts it appears that the OVMF files are located in 
"/usr/share/OVMF/" directory - however the OVMF_VARS.secboot.fd file is not 
there ? :

root@qcloud-s2-p1-c1-kvm4:~# ls -al /usr/share/OVMF/
total 4232
drwxr-xr-x 2 root root 4096 Mar 9 2022 .
drwxr-xr-x 151 root root 4096 Apr 2 2022 ..
-rw-r--r-- 1 root root 1966080 Sep 20 2021 OVMF_CODE.fd
lrwxrwxr

RE: KVM host UEFI allow guest UEFI Secure boot

2023-01-19 Thread Gary Dixon
I think I just solved this myself – in the qemu.conf file I see :

#nvram = [
#   "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd",
#   "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd",
#   "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd",
#   "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd",
#   "/usr/share/OVMF/OVMF_CODE.ms.fd:/usr/share/OVMF/OVMF_VARS.ms.fd"
#]

So in Ubuntu 20.04 there is no reference to OVMF_VARS.secure.fd for the nvram 
template



Gary Dixon
From: Gary Dixon 
Sent: 19 January 2023 13:55
To: users@cloudstack.apache.org
Subject: RE: KVM host UEFI allow guest UEFI Secure boot

Thanks for all your quick responses

On our Ubuntu 20.04 hosts it appears that the OVMF files are located in 
"/usr/share/OVMF/" directory - however the OVMF_VARS.secboot.fd file is not 
there ? :

root@qcloud-s2-p1-c1-kvm4:~# ls -al /usr/share/OVMF/
total 4232
drwxr-xr-x 2 root root 4096 Mar 9 2022 .
drwxr-xr-x 151 root root 4096 Apr 2 2022 ..
-rw-r--r-- 1 root root 1966080 Sep 20 2021 OVMF_CODE.fd
lrwxrwxrwx 1 root root 20 Sep 20 2021 OVMF_CODE.ms.fd -> OVMF_CODE.secboot.fd
-rw-r--r-- 1 root root 1966080 Sep 20 2021 OVMF_CODE.secboot.fd
-rw-r--r-- 1 root root 131072 Sep 20 2021 OVMF_VARS.fd
-rw-r--r-- 1 root root 131072 Sep 20 2021 OVMF_VARS.ms.fd
-rw-r--r-- 1 root root 131072 Sep 20 2021 OVMF_VARS.snakeoil.fd

Is this needed in the uefi.properties config file ?


BR

Gary
-Original Message-
From: vas...@gmx.de
Sent: 19 January 2023 13:42
To: users@cloudstack.apache.org
Subject: Re: KVM host UEFI allow guest UEFI Secure boot

Not the direct solution but maybe some bits of information for your further
efforts:

Overall description of the feature
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Enable+UEFI+booting+for+Instance

User guide + example to enable secure boot
https://lab.piszki.pl/cloudstack-vm-with-vtpm-and-secure-boot-uefi/

Gitlab - Issue with further information on deploying that capability
https://github.com/apache/cloudstack/issues/4238

regards,
Chris

On Thu, 19 Jan 2023 at 14:09, Gary Dixon wrote:

> Hi everyone
>
>
>
> CS : 4.15.2
>
> Hypervisor: KVM
>
> OS: Ubuntu 20.04
>
>
>
> Apologies if this has been discussed before.
>
> We have a requirement to create Windows server templates with UEFI
> Secure boot enabled and in testing find that our instances are being
> created with Legacy BIOS enabled.
>
> I
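
The check Gary does by eye in the two messages above (the nvram pairs in qemu.conf against the files in /usr/share/OVMF/) can be scripted. This is an added example, not part of the thread or of CloudStack; the inputs are constructed from the thread's output, and the rule that only OVMF_VARS.ms.fd and OVMF_VARS.snakeoil.fd carry enrolled keys is an assumption based on Debian/Ubuntu ovmf naming.

```python
import re
from pathlib import PurePosixPath

# Constructed input: the nvram default list quoted in the thread (still commented out).
QEMU_CONF = """\
#nvram = [
#   "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd",
#   "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd",
#   "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd",
#   "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd",
#   "/usr/share/OVMF/OVMF_CODE.ms.fd:/usr/share/OVMF/OVMF_VARS.ms.fd"
#]
"""
# Constructed input: file names from the `ls -al /usr/share/OVMF/` output in the thread.
OVMF_DIR = "/usr/share/OVMF"
PRESENT = {"OVMF_CODE.fd", "OVMF_CODE.ms.fd", "OVMF_CODE.secboot.fd",
           "OVMF_VARS.fd", "OVMF_VARS.ms.fd", "OVMF_VARS.snakeoil.fd"}
# Assumption (Debian/Ubuntu ovmf naming): a ".secboot"/".ms" CODE image is a Secure Boot
# build; only a VARS template with keys pre-enrolled (".ms", ".snakeoil") boots it enforcing.
SECURE_CODE = re.compile(r"_CODE\.(secboot|ms)\.fd$")
ENROLLED_VARS = re.compile(r"_VARS\.(ms|snakeoil)\.fd$")

def parse_nvram_pairs(conf):
    """Return (loader, vars_template) tuples from the nvram = [...] list, commented or not."""
    block = re.search(r"^#?\s*nvram\s*=\s*\[(.*?)\]", conf, re.S | re.M)
    if not block:
        return []
    return [tuple(p.split(":", 1)) for p in re.findall(r'"([^"]+:[^"]+)"', block.group(1))]

def audit(pairs, directory, present):
    """Classify each pair that lives in `directory` against the files actually installed."""
    report = {}
    for loader, nvram in pairs:
        if str(PurePosixPath(loader).parent) != directory:
            continue  # e.g. AAVMF (aarch64) entries are out of scope for this host
        names = (PurePosixPath(loader).name, PurePosixPath(nvram).name)
        if not set(names) <= present:
            report[names] = "missing file"
        elif not SECURE_CODE.search(names[0]):
            report[names] = "not a Secure Boot loader"
        elif ENROLLED_VARS.search(names[1]):
            report[names] = "ok"
        else:
            report[names] = "Secure Boot loader with empty variable store"
    return report

if __name__ == "__main__":
    for names, verdict in audit(parse_nvram_pairs(QEMU_CONF), OVMF_DIR, PRESENT).items():
        print(f"{names[0]} + {names[1]}: {verdict}")
```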

RE: KVM host UEFI allow guest UEFI Secure boot

2023-01-19 Thread Gary Dixon
Thanks for all your quick responses

On our Ubuntu 20.04 hosts it appears that the OVMF files are located in 
"/usr/share/OVMF/" directory - however the OVMF_VARS.secboot.fd file is not 
there ? :

root@qcloud-s2-p1-c1-kvm4:~# ls -al /usr/share/OVMF/
total 4232
drwxr-xr-x   2 root root    4096 Mar  9  2022 .
drwxr-xr-x 151 root root    4096 Apr  2  2022 ..
-rw-r--r--   1 root root 1966080 Sep 20  2021 OVMF_CODE.fd
lrwxrwxrwx   1 root root      20 Sep 20  2021 OVMF_CODE.ms.fd -> OVMF_CODE.secboot.fd
-rw-r--r--   1 root root 1966080 Sep 20  2021 OVMF_CODE.secboot.fd
-rw-r--r--   1 root root  131072 Sep 20  2021 OVMF_VARS.fd
-rw-r--r--   1 root root  131072 Sep 20  2021 OVMF_VARS.ms.fd
-rw-r--r--   1 root root  131072 Sep 20  2021 OVMF_VARS.snakeoil.fd

Is this needed in the uefi.properties config file ?


BR

Gary


-Original Message-
From: vas...@gmx.de 
Sent: 19 January 2023 13:42
To: users@cloudstack.apache.org
Subject: Re: KVM host UEFI allow guest UEFI Secure boot

Not the direct solution but maybe some bits of information for your further
efforts:

Overall description of the feature
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Enable+UEFI+booting+for+Instance

User guide + example to enable secure boot
https://lab.piszki.pl/cloudstack-vm-with-vtpm-and-secure-boot-uefi/

Gitlab - Issue with further information on deploying that capability
https://github.com/apache/cloudstack/issues/4238

regards,
Chris

On Thu, 19 Jan 2023 at 14:09, Gary Dixon wrote:

> Hi everyone
>
>
>
> CS : 4.15.2
>
> Hypervisor: KVM
>
> OS: Ubuntu 20.04
>
>
>
> Apologies if this has been discussed before.
>
> We have a requirement to create Windows server templates with UEFI
> Secure boot enabled and in testing find that our instances are being
> created with Legacy BIOS enabled.
>
> I checked our KVM hosts and they have the ovmf package installed –
> however there is no uefi.properties file in the /etc/cloudstack/agent
> directory
>
> How do I enable the KVM hosts to support Cloudstack guests with UEFI
> Secure boot bios ?
>
> Also will this ‘break’ all current running VM’s that have the Legacy
> BIOS enabled or will they still be able to run ?
>
>
>
> BR
>
>
>
> Gary
>


Re: KVM host UEFI allow guest UEFI Secure boot

2023-01-19 Thread vas...@gmx.de
Not the direct solution but maybe some bits of information for your further
efforts:

Overall description of the feature
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Enable+UEFI+booting+for+Instance

User guide + example to enable secure boot
https://lab.piszki.pl/cloudstack-vm-with-vtpm-and-secure-boot-uefi/

Gitlab - Issue with further information on deploying that capability
https://github.com/apache/cloudstack/issues/4238

regards,
Chris

On Thu, 19 Jan 2023 at 14:09, Gary Dixon wrote:

> Hi everyone
>
>
>
> CS : 4.15.2
>
> Hypervisor: KVM
>
> OS: Ubuntu 20.04
>
>
>
> Apologies if this has been discussed before.
>
> We have a requirement to create Windows server templates with UEFI Secure
> boot enabled and in testing find that our instances are being created with
> Legacy BIOS enabled.
>
> I checked our KVM hosts and they have the ovmf package installed – however
> there is no uefi.properties file in the /etc/cloudstack/agent directory
>
> How do I enable the KVM hosts to support Cloudstack guests with UEFI
> Secure boot bios ?
>
> Also will this ‘break’ all current running VM’s that have the Legacy BIOS
> enabled or will they still be able to run ?
>
>
>
> BR
>
>
>
> Gary
>


Re: KVM host UEFI allow guest UEFI Secure boot

2023-01-19 Thread Wei ZHOU
I think the VMs with Legacy BIOS are not impacted. Maybe others can confirm
it.

For the uefi properties, please refer to
https://github.com/apache/cloudstack/issues/4238#issuecomment-773908266

-Wei

On Thu, 19 Jan 2023 at 14:10, Gary Dixon 
wrote:

> Hi everyone
>
>
>
> CS : 4.15.2
>
> Hypervisor: KVM
>
> OS: Ubuntu 20.04
>
>
>
> Apologies if this has been discussed before.
>
> We have a requirement to create Windows server templates with UEFI Secure
> boot enabled and in testing find that our instances are being created with
> Legacy BIOS enabled.
>
> I checked our KVM hosts and they have the ovmf package installed – however
> there is no uefi.properties file in the /etc/cloudstack/agent directory
>
> How do I enable the KVM hosts to support Cloudstack guests with UEFI
> Secure boot bios ?
>
> Also will this ‘break’ all current running VM’s that have the Legacy BIOS
> enabled or will they still be able to run ?
>
>
>
> BR
>
>
>
> Gary
>